Data Broker Compliance in the Spotlight

The California Privacy Protection Agency (CPPA) made headlines on November 14, 2024, by issuing its first significant monetary penalties related to data brokers, totaling nearly $70,000, in settlements with two data brokers, Growbots Inc. and UpLead LLC. These penalties were levied for alleged non-compliance with the registration requirements of the California Delete Act (Act) and the related data broker registry. This action is part of a broader investigative sweep aimed at ensuring data brokers adhere to the regulations of the Act, in preparation for the rollout of the CPPA's centralized deletion mechanism slated for 2026.

In addition to its enforcement actions, the CPPA has also recently finalized regulations for data brokers to support implementation of the Act in 2025. The CPPA has sent the proposed regulations to the California Office of Administrative Law (OAL) for final approval. Should OAL approve the proposals and submit them to the secretary of state by November 30, 2024, the new regulations would be effective on January 1 for the 2025 data broker registration period. Some of those updates are technical in nature, but one major change will functionally expand the definition of what it means to be a "data broker" in California to encompass many businesses that would not consider themselves to be engaged in that type of activity. As explained below, if your business engages in the "sale" of personal information about a consumer that you did not collect directly from that consumer, you might be a data broker in the eyes of the CPPA. With an increased focus on enforcement, and a January 2025 registration period looming, companies should pay attention to what California is doing.

CPPA Board Approves Key Updates to Data Broker Regulations

On November 8, 2024, the CPPA Board unanimously approved updates to data broker regulations under the California Delete Act. Here is a summary of the key updates:

1. Broader Definition of "Data Broker": The Act defines a data broker as a business that knowingly collects and sells the personal information of consumers with whom it does not have a direct relationship. Under the new regulations, the definition of "direct relationship" could expand California's data broker registry requirements to many "first party" businesses by stating that businesses that have a direct relationship with consumers, but sell personal information that they did not collect directly from those consumers, are "data brokers" for purposes of the Act. As a result, businesses that traditionally might not be classified as data brokers could be classified as such if they sell information they did not collect directly.
2. Increased Fee: The registration fee for 2025 would be increased from $400 to $6,600 (plus processing fees), which is meant to offset in part the cost of developing the CPPA's deletion mechanism.
3. Payment Requirement: Data brokers would be required to pay the registration fee by credit card, though certain exceptions could apply.
4. Individual Registration for Parent and Subsidiary Companies: All data broker businesses, including parent companies and subsidiaries, would be required to register individually.
5. Confidential Point of Contact: Data brokers would be required to designate a point of contact with the CPPA. This contact would not appear in the public registry.
6. Reporting Requirements for Exempt Entities: Entities that may be subject to exceptions to the Act for other state and federal laws would be subject to new reporting requirements.
7. Perjury Requirement: Data brokers would be required to sign registrations, under penalty of perjury, regarding the accuracy of the information provided.

What Should You Do?

These recent updates to the Act's regulations have introduced several important changes for any company that may be defined as a "data broker" in California. Companies can make the following preparations.

1. Evaluate Data Practices. Companies should assess their current data practices to determine if they involve "sales" of personal information that could classify them as "data brokers." Even if your business has a "direct relationship" with consumers, the updated regulations could sweep in activity you did not previously consider as "data broker" activity. This could include evaluating whether your data is enhanced by third party data, such that selling this enhanced personal information through your day-to-day activity could now classify you as a data broker.
2. Prepare Registration. Companies considered data brokers should register by the January 31, 2025 deadline to avoid penalties. Failure to register by January 31 may result in daily administrative fines of $200, and the CPPA is watching.
3. Designate a Confidential Point of Contact. Name a point of contact for the CPPA, ensuring this individual's information remains confidential and does not appear on the public registry.
4. "Exempt" Entities Should Review Reporting Requirements. If you have previously relied on a statutory exemption to the data broker registry in California, you should review the proposed reporting requirements to determine whether and how to comply with those updated rules.